With revelations about mass surveillance in the news everywhere, an obscure feature of SSL/TLS called forward secrecy has suddenly become very interesting. So what is it, and why is it so interesting now?

Session key generation and exchange

Every SSL connection begins with a handshake, during which the parties communicate their capabilities to the other side, perform authentication, and agree on their session keys, in the process called key exchange. The session keys are used for a limited time and deleted afterwards. The goal of the key exchange phase is to enable the two parties to negotiate the keys securely, in other words, to prevent anyone else from learning these keys.

Several key exchange mechanisms exist, but, at the moment, by far the most commonly used one is based on RSA, where the server's private key is used to protect the session keys. This is an efficient key exchange approach, but it has an important side-effect: anyone with access to a copy of the server's private key can also uncover the session keys and thus decrypt everything.

For some, the side-effects are desirable. Many network security devices, for example, can be configured to decrypt communication (and inspect traffic) when given servers' private keys. Without this capability, passive IDS/IPS and WAF devices have no visibility into the traffic and thus provide no protection.

In the context of mass surveillance, however, the RSA key exchange is a serious liability. Your adversaries might not have your private key today, but what they can do now is record all your encrypted traffic. Eventually, they might obtain the key in one way or another (e.g., by bribing someone, obtaining a warrant, or by breaking the key after sufficient technology advances) and, at that time, they will be able to go back in time to decrypt everything.

Diffie–Hellman key exchange

An alternative to RSA-based key exchange is to use the ephemeral Diffie-Hellman algorithm, which is slower, but generates session keys in such a way that only the two parties involved in the communication can obtain them. No one else can, even if they have access to the server's private key.[1]

After the session is complete, and both parties destroy the session keys, the only way to decrypt the communication is to break the session keys themselves. This protocol feature is known as forward secrecy.[2]

Now, breaking strong session keys is clearly much more difficult than obtaining servers' private keys (especially if you can get them via a warrant). Furthermore, in order to decrypt all communication, now you can no longer compromise just one key (the server's), but you have to compromise the session keys belonging to every individual communication session.
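The retrospective decryption risk described above, as an added toy model that is not part of the original article: a passive recorder captures each handshake, later obtains the server's private key, and tries to recover the session key. The RSA parameters (p=61, q=53) and the Diffie-Hellman group are constructed toy values with no security; real deployments use 2048-bit or larger moduli.

```python
"""Toy model of RSA vs. ephemeral DH key exchange (constructed parameters, NOT secure)."""
import hashlib
import secrets

# Server's long-term RSA key pair: textbook RSA with tiny constructed primes p=61, q=53.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

# Toy Diffie-Hellman group: a small constructed prime (2^31 - 1) and a generator value.
DH_P, DH_G = 2147483647, 7


def kdf(secret: int) -> bytes:
    """Derive session key bytes from the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_exchange():
    """RSA key exchange: the client picks the premaster secret and encrypts it to the
    server's public key. Returns (session_key, transcript); the transcript is exactly
    what a passive recorder sees on the wire."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"kx": "RSA", "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return kdf(premaster), transcript


def dhe_key_exchange():
    """Ephemeral DH: each side picks a fresh secret and sends only g^secret; the server
    signs its share with its long-term RSA key so the client knows who it talks to.
    The ephemeral secrets are discarded once the shared secret has been derived."""
    a = secrets.randbelow(DH_P - 2) + 2          # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 2          # server ephemeral secret
    share_a, share_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(share_b.to_bytes(4, "big")).digest(), "big")
    signature = pow(digest % RSA_N, RSA_D, RSA_N)  # long-term key used ONLY to sign
    shared = pow(share_a, b, DH_P)               # server side; client computes share_b^a
    assert shared == pow(share_b, a, DH_P)
    transcript = {"kx": "DHE", "client_share": share_a, "server_share": share_b,
                  "signature": signature}
    del a, b                                     # ephemeral secrets destroyed
    return kdf(shared), transcript


def recover_later(transcript, rsa_private_d):
    """Adversary who recorded the transcript and later obtained the server's private key.
    Returns the recovered session key, or None if the private key does not help."""
    if transcript["kx"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], rsa_private_d, RSA_N)
        return kdf(premaster)
    # DHE: the recording holds only g^a and g^b; the private key verifies the signature
    # but yields neither exponent. Recovering the key means solving a discrete log per
    # session, i.e. breaking each session key individually.
    return None
```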

SSL and forward secrecy

SSL supports forward secrecy using two algorithms, the standard Diffie-Hellman (DHE) and the adapted version for use with Elliptic Curve cryptography (ECDHE). Why isn't everyone using them, then?
